STE WILLIAMS

The End for Fin7: Feds cuff suspected super-crooks after $$$m stolen from 15m+ credit cards

The FBI has arrested the alleged three leaders of an international crime syndicate that stole huge numbers of credit card numbers – which were subsequently sold on and used to rack up tens of millions of dollars in spending sprees.

Speaking in Seattle, USA, where the Feds’ cybersecurity taskforce is based, agents said the “Fin7” group was responsible for stealing more than 15 million credit card numbers at over 3,000 locations, impacting at least 100 businesses.

The group is alleged to have used phishing attacks, sending emails with attachments that launched a customized form of the Carbanak malware on victims’ computers. The group targeted people in charge of catering in three main industries – restaurants, hotels and casinos – and followed up the emails with phone calls to those individuals, encouraging them to open the attachment, Uncle Sam’s agents said.

Once the software nasty was opened and installed, it would seek out credit card details and customers’ personal information from payment systems, and siphon them off to the Fin7 gang – which then sold the sensitive data on online marketplaces to crooks to exploit. Infosec biz FireEye has a summary of the malware, here.

The first suspected Fin7 kingpin was arrested back in January in Germany, the authorities said, but that indictment was kept under seal while the FBI continued its investigations. The unnamed individual has since been extradited to the US and will appear in court in Seattle in May.

The subsequent investigation then led to two further arrests: one in Poland and another in Spain. Both are currently in the middle of extradition hearings. The group operated through a front company, based in Israel and Russia, that did business throughout Eastern Europe.

US Attorney for the Western District of Washington, Annette Hayes, said during a press conference today announcing the arrests that a main goal of the investigation was to make it plain that criminals can no longer rely on the international nature of the internet to get away with their crimes.

“We have taken three key people out,” she said. “We have made clear to folks that when they travel abroad and think they are safe, they are not. We are going to find these people and hold them to account. In the sense that they are somehow anonymous and far away and somehow we cannot touch them, we want to send that message that that is wrong.”

Fight back

Even though the estimated cost of the crime group’s activities is a drop in the bucket compared with what Dan Schott, a senior director at credit card company Visa, said is a $600 billion a year global business, he said this case’s importance was that it showed the authorities were capable of fighting back “through cooperation across the private sector.”


FBI Special Agent Jay Tabb noted that the case is “the largest, certainly among the top three, criminal computer intrusion cases that the FBI is working right now in terms of loss, number of victims, the global reach, and the size of the organization, the organized crime syndicate doing this.”

He noted however that although they believe they have arrested the three leaders of Fin7, there are many more individuals involved and the investigation was ongoing. Asked about the sentences that the three individuals face, Hayes noted that it would depend on individual circumstances but that they were looking at “very long sentences” stretching to “decades.”

In terms of limiting cybercrime, both law enforcement and credit card representatives made the same recommendations: keep an eye on all your credit card transactions, report any suspicious ones to your credit card company, and do not open suspicious or unexpected downloads and email attachments. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/08/01/fbi_credit_card_arrests/

‘Unhackable’ Bitfi crypto-currency wallet maker will be shocked to find fingernails exist

Pics A crypto-currency wallet heavily promoted as “unhackable” – complete with endorsements from the security industry’s loopy old uncle John McAfee and a $350,000 bounty challenge – has, inevitably, been hacked within a week.

The $120 Wi-Fi-connected Bitfi wallet is a hardware device that stores your crypto-coins and assets, and requires a passphrase to access these goodies. The phrase is used to temporarily generate, for a few milliseconds, the private key needed to unlock the data, and is then discarded. So without the passphrase, you can’t get at the gizmo’s fun bux, allegedly.

It was thus launched last week with some bold claims: it was the “most sophisticated instrument in the world” offering “fortress-like security” for your electronic coins. Its phone-like device is “the world’s first unhackable device”, the manufacturer announced – to some mockery by security experts.

The biz even got John McAfee to play along. He tweeted: “For all you naysayers who claim that ‘nothing is unhackable’ who don’t believe that my Bitfi wallet is truly the world’s first unhackable device, a $100,000 bounty goes to anyone who can hack it. Money talks, bullshit walks.”

Having received acres of press coverage, the company then raised its “bounty” to $250,000, presumably in an effort to sell more hardware. But then, of course, with sad inevitability, the whole thing has come crashing down.

A spokesperson for Bitfi was not available for immediate comment.

First off, the “most sophisticated instrument in the world” turns out to be nothing more than a cheap touchscreen Android phone with some components pulled out – it’s powered by a Mediatek MT6580 system-on-chip, and appears to be very similar to a smartphone reference design. The Bitfi biz is charging people $120 for something that is sold for $35 wholesale.

The bounty program also turns out to be very different to what you would imagine. The company has given very specific requirements over what constitutes a legitimate hack: you have to receive a Bitfi phone loaded with $50 in crypto-coins using an unknown passphrase, and get the coins off that device.

A good thing

Which sounds reasonable, and also serves to flag the one aspect of the Bitfi that is a genuine security plus: it doesn’t store the actual key used to access the crypto-currencies on the device itself.

However, the bounty doesn’t reflect reality. As infosec probester Andrew Tierney put it, the challenge only covers one specific method of theft – accessing coins on a stolen device – yet the thing is supposed to be completely unhackable and thus be able to see off any attempts to empty it.

“The bounty deliberately includes only one attack: key recovery from a genuine, unaltered device. And the device doesn’t store the key,” Tierney wrote over the weekend.

“The only way to win the bounty is to recover a key from a device which doesn’t store a key. There are many, many more attacks such a device is vulnerable to. The most obvious one: modifying the device so that it records and sends the key to a malicious third party. But this is excluded from the bounty. Why is this? Because the bounty is a sham.”

Indeed, the bounty does not cover the scenario of someone intercepting shipments of the devices, backdooring them, and then siphoning off coins from victims – a genuine supply chain problem. Nor devices being stolen, tampered with, and then returned without a victim knowing, allowing the wallet to be emptied. Again, another legitimate concern given this is supposedly “unhackable.”

Despite the claims of “faultless, impenetrable security,” it turns out that the Bitfi phone is very far from an unhackable wallet.

Crucially, it has no anti-tamper measures, meaning the back can be popped off using your fingernails, the hardware reprogrammed or bugged, the case closed up again, and the handheld handed to a victim. Once the mark taps in their passphrase, whatever backdoor you’ve built into the thing can phone those details home over the internet for you to exploit.

We know this because within a week of the gadget being launched – and just a few days after security researchers received their specially repurposed phones – they started digging in and revealing:

  • The unencrypted I2C protocol lines between the touchscreen and chipset can be eavesdropped on, allowing you to discern the individual passphrase that a user taps in on the display if you slip in an appropriate bug.
  • There is a complete lack of tamper protection: so you can open up the device, and it will continue to work normally while you monitor what is going on within the thing. Alternatively, you can tamper with its hardware or firmware so that it steals coins, close it up as if nothing has changed, and hand it to a victim.
  • You can access and dump the device’s file system from its flash storage.
  • There is software present that allegedly and potentially collects personal information, tracks the whereabouts of the device, and beams it off to Baidu and Adups servers in China. There are also standard MediaTek libraries and example apps installed.
  • And, yes, inevitably, you can gain root access to the device and reprogram it.
  • A backdoored device will still connect to its online backend and access the owner’s Bitfi dashboard account, which manages their crypto-dosh.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/08/01/unhackable_bitfi_wallet/

How AI Could Become the Firewall of 2003

An over-reliance on artificial intelligence and machine learning for the wrong uses will create unnecessary risks.

One of the shortcomings of the cybersecurity industry is a preoccupation with methodologies as solutions, rather than thinking about how they can be most useful. This scenario is happening right now with artificial intelligence (AI) and machine learning (ML) and reminds me of discussions I heard about firewalls back in 2003.

In 2003, pattern matching was the primary methodology for threat detection. As it became possible to perform pattern matching within hardware, the line between hardware-driven solutions (like firewalls) and software-based solutions — such as intrusion-detection systems — eroded.

Lost in this evolution was the fact that intrusion-detection systems went beyond pattern matching and included a combination of methodologies, including anomaly detection and event correlation, that never made it into firewalls. As a result, firewall-based pattern matching became the default solution for threat detection, as opposed to one important part of a whole.

This history is important because AI (really, ML) is simply another methodology in the evolution of tools that address specific aspects of the information security workflow.

Finding the Value of AI and ML in Security
Artificial intelligence is defined as having machines do “smart” or “intelligent” things on their own without human guidance. Machine learning is the practice of machines “learning” from data supplied by humans. Given these definitions, AI doesn’t really exist in information security and won’t for a long time.

ML solves a subset of well-defined security challenges far more effectively than existing methodologies.

Most of the time when you hear AI/ML referenced in marketing material, what’s being described is heuristics, not computational statistics. Heuristics, while much simpler than AI, works very well on a variety of security activities while being far less computationally intensive than data science-based methodologies. 

ML is simply one tool out of the methodology toolbox for identifying undesirable activity and is most successful in tackling well-bounded and understood problems.

Before I’m written off as simply a critic of AI/ML in security, I’ll note that as one of the first employees at Cylance, I witnessed firsthand the stunningly successful application of ML to the problem of malware detection. However, that technical success was anchored in the boundedness of the problem being studied and solved. Specifically:

  • Structurally bound: The type of data and structure either don’t change or slowly evolve over years. In this case, the structure of data is defined by file format specs.
  • Behaviorally bound: In a good use case for ML, the data being modeled will only appear as the result of a limited set of actions, allowing data points to be predictably mapped to understood behaviors.
  • Subversive-free influence: This is the most important factor and is almost exclusive to the context of information security. We face malicious humans who have an incentive to find and exploit weaknesses in the ML model. With that said, it’s incredibly difficult to make enough changes to a file that obscure it from statistical analysis while remaining valid enough to load by an operating system.

Malware analysis and endpoint detection and response is one example of an infosec challenge that meets the three constraints above — which is why machine learning has been incredibly effective in this market.

Applying that same thought process to the network is dangerous because network data is not structurally or behaviorally bound and the attacker can send any sequence of 0s and 1s on the network. So does that mean AI and ML are a dead end for analyzing network data?

Yes and no. If the approach is to just use these powerful technologies to spot deviations from a baseline for every user or device, then we will fail miserably. The false positives and negatives produced by this “intelligent” approach will require a human to analyze the results before acting.

For instance, traffic analysis that alerts based on network anomalies may tell you there is too much traffic from an IP address that has never acted like this in the past. Often, the problem is that a new backup process is being rolled out. That puts us right back at the same skills crisis epidemic that AI was promised to solve.

Instead, what if we used AI and ML to determine good versus bad by comparing across the environment and specifically by comparing entity behaviors to those from entities that are most similar? This allows the system to automatically learn about changes such as the new backup process.
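The difference between the two approaches in the previous paragraphs can be shown with a few lines of code. The example below is added here and is not from the article or its author; the traffic figures are constructed, and the thresholds and the use of a median as the peer reference are choices made for the illustration, not anything the article prescribes.

```python
"""Self-baseline anomaly scoring versus peer-group comparison.

Added example, not code from the article. The data below is constructed: hourly
egress (MB) for five database hosts that form one peer group because they play
the same role. In the current hour a new backup job has started fleet-wide, so
every host sends roughly ten times its usual volume; db4 additionally sends ten
times more than its peers.
"""
from statistics import mean, median, pstdev

# Constructed history: 12 quiet hours per host.
HISTORY = {
    "db1": [50, 52, 49, 51, 50, 53, 48, 50, 52, 51, 49, 50],
    "db2": [48, 50, 47, 49, 51, 48, 50, 49, 47, 50, 49, 48],
    "db3": [55, 53, 56, 54, 55, 57, 53, 54, 56, 55, 54, 55],
    "db4": [51, 49, 50, 52, 50, 48, 51, 50, 49, 52, 50, 51],
    "db5": [47, 49, 48, 50, 46, 48, 49, 47, 48, 50, 49, 48],
}
# Constructed current hour: backup job live everywhere, db4 also misbehaving.
CURRENT = {"db1": 480, "db2": 470, "db3": 500, "db4": 4900, "db5": 490}


def self_baseline_alerts(history, current, z_threshold=3.0):
    """Classic per-entity baseline: alert when the current value is more than
    z_threshold standard deviations above that entity's own history."""
    alerts = set()
    for host, value in current.items():
        past = history[host]
        mu, sigma = mean(past), pstdev(past)
        sigma = max(sigma, 1e-9)  # a constant history would otherwise divide by zero
        if (value - mu) / sigma > z_threshold:
            alerts.add(host)
    return alerts


def peer_group_alerts(current, ratio_threshold=3.0):
    """Peer comparison: alert when an entity's current value is more than
    ratio_threshold times the median of its peers' current values (or less than
    1/ratio_threshold of it). The median is robust to a single outlier, so db4
    does not drag the reference point up for the others."""
    alerts = set()
    for host, value in current.items():
        peers = [v for h, v in current.items() if h != host]
        ref = max(median(peers), 1e-9)
        ratio = value / ref
        if ratio > ratio_threshold or ratio < 1 / ratio_threshold:
            alerts.add(host)
    return alerts


if __name__ == "__main__":
    print("self-baseline alerts:", sorted(self_baseline_alerts(HISTORY, CURRENT)))
    print("peer-group alerts:   ", sorted(peer_group_alerts(CURRENT)))
```

Run as written, the self-baseline check flags all five hosts (four of them false positives caused by the backup rollout), while the peer comparison flags only db4. The peer method has its own blind spot, and it is the reason the article argues against discarding other methodologies: behaviour that is uniformly bad across a whole peer group, for instance every host in the group being made to exfiltrate the same way, looks normal to it.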

Not all infosec ML use cases are created equal — technically or philosophically. Like the firewall of 2003, machine learning does have some well-matched use cases that are advancing the state of the art in enterprise protection.

However, an over-reliance on machine learning for poorly matched use cases will burden the enterprise with unnecessary additional risk and expense while contributing to other lasting negative impacts such as the atrophying of methodologies that compensate for ML’s weaknesses.


Gary Golomb has nearly two decades of experience in threat analysis and has led investigations and containment efforts in a number of notable cases. With this experience — and a track record of researching and teaching state-of-the art detection and response …

Article source: https://www.darkreading.com/endpoint/how-ai-could-become-the-firewall-of-2003/a/d-id/1332417?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

UnityPoint Health Reveals 1.4 Million Patient Breach

The hospital company’s second breach this year is far larger than the first.

UnityPoint Health, a multi-hospital group serving parts of Iowa, Illinois, and Wisconsin, is alerting 1.4 million patients to the second data breach the company has suffered this year. And it’s not just the second breach; it’s the second breach initiated through a phishing attack.

The first attack, which occurred in April, was reported to have compromised employee email accounts, which could have exposed birth dates, Social Security numbers, medical record numbers, treatment and surgical information, diagnoses, lab results, medications, providers, insurance information, and service dates.

The most recent breach also targeted employee email accounts, with the most recent exploit possibly adding payment card information to the lost data mix.

UnityPoint reports that it has reset email passwords, added anti-phishing training for employees, and deployed additional anti-phishing technology.


Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

Article source: https://www.darkreading.com/attacks-breaches/unitypoint-health-reveals-14-million-patient-breach/d/d-id/1332457?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Reddit Warns Users of Data Breach

An attacker broke into Reddit systems and accessed user data, email addresses, and a database of hashed passwords from 2007.

If you haven’t changed your Reddit password since 2007, now would be a good time.

Reddit today disclosed a security incident discovered on June 19, 2018. The company reports that between June 14 and 18, 2018, an attacker compromised employee accounts held with its cloud and source code hosting providers. It reports two-factor authentication was in place.

“Already having our primary access points for code and infrastructure behind strong authentication requiring two factor authentication (2FA), we learned that SMS-based authentication is not nearly as secure as we would hope, and the main attack was via SMS intercept,” Reddit reports in a blog post, encouraging token-based 2FA.
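What “token-based” buys you over SMS is that the second factor never crosses a phone network: the token and the server share a secret at enrolment and each later code is computed locally from that secret and the clock. The implementation below is an added example, not Reddit’s code or a description of Reddit’s systems. It follows RFC 4226 (HOTP) and RFC 6238 (TOTP) and uses the reference secret from those RFCs so its output can be checked against the published test vectors; the replay guard via `last_counter` is the RFC 6238 recommendation, expressed here as an assumed server-side convention.

```python
"""Token-based second factor (HOTP/TOTP, RFC 4226 / RFC 6238).

Added example, not Reddit's code. A shared secret is provisioned once at
enrolment (normally as a base32 string in a QR code) and every later code is
computed locally by the token from that secret and the current time, so nothing
an SMS interceptor can capture ever leaves the device. RFC_SECRET is the
reference secret from the RFC test vectors.
"""
import base64
import hashlib
import hmac
import struct
import time

RFC_SECRET = b"12345678901234567890"  # RFC 4226 / RFC 6238 test-vector secret


def decode_base32_secret(text: str) -> bytes:
    """Turn the base32 string from an enrolment QR code into raw key bytes;
    authenticator apps accept unpadded, lowercase, space-separated input."""
    clean = text.replace(" ", "").upper()
    clean += "=" * (-len(clean) % 8)
    return base64.b32decode(clean)


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, dynamic truncation,
    then the low `digits` decimal digits, zero-padded."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 6238: HOTP with the counter derived from Unix time."""
    return hotp(secret, at // step, digits, algo)


def verify_totp(secret, code, at, *, step=30, digits=6, window=1, last_counter=None):
    """Server-side check. Returns the time-step counter the code matched, or None.

    `window` tolerates clock drift of +/- that many steps. The caller persists
    the returned counter and passes it back as `last_counter` on the next
    attempt, so a code captured from the user cannot be replayed (RFC 6238
    section 5.2). compare_digest keeps the comparison constant-time."""
    base = at // step
    for drift in range(-window, window + 1):
        counter = base + drift
        if last_counter is not None and counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, counter, digits), code):
            return counter
    return None


if __name__ == "__main__":
    # base32 of RFC_SECRET, as it would appear in an enrolment QR code
    secret = decode_base32_secret("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    print("current code:", totp(secret, int(time.time())))
    print("RFC 6238 vector T=59, 8 digits:", totp(RFC_SECRET, 59, digits=8))
```

The caveat a practitioner would add: TOTP removes the SMS interception path but is still a code the user types, so it can be phished in real time; origin-bound hardware keys (FIDO U2F / WebAuthn) close that gap as well.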

The attacker did not gain write access to Reddit systems, the report continues, but did manage to infiltrate two key areas of user data: all Reddit data from 2007 and before, including account credentials and email addresses, as well as email digests Reddit sent in June 2018.

Because the attacker also had read access to Reddit’s storage systems, he or she could reach other data including Reddit source code, internal logs, configuration files, and other employee workspace files. Reddit has reported the breach to law enforcement and is alerting affected users to change their passwords, whether or not they’re currently using the site.


Article source: https://www.darkreading.com/threat-intelligence/reddit-warns-users-of-data-breach/d/d-id/1332458?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

New Chrome Extension Alerts Users to Hacked Sites

HackNotice leverages a database of 20,000 hacks to alert users when a site they visit has been compromised.

A new HackNotice extension for Google Chrome notifies users when websites they access have been recently compromised.

Nobody wants to enter their data on a hacked site but unless they stay current on security news, most people don’t know which portals are safe and which are potentially harmful. If they know an organization has been breached, most people choose to take their business elsewhere: a new survey shows half avoid services after a security incident is reported.

HackNotice aims to arm people with more data to make choices about the businesses they use. It was founded by Steve Thomas, former cofounder of credential monitoring service PwnedList and most recently, leader of a third-party risk monitoring team at Security Scorecard. The startup launched in July 2018 to make threat intelligence more accessible to the average user.

Many of the organizations providing breach intelligence cater to businesses, Thomas explains. PwnedList, SecurityScorecard, Shodan, and Metasploit are all examples of innovation intended to protect the enterprise from cyberattacks. Most people don’t have access to the same insight.

“A lot of consumers were left in the dust or didn’t have any services geared toward them,” he says. “I wanted to focus on helping consumers make use of threat intelligence businesses have had access to for a long time. It’s really about awareness.”

HackNotice users can learn whether their data has been compromised in a breach and access practical advice: how and whether they should reset their password, check their credit card statement, and/or report a stolen card.

Now they can learn whether a website has been recently compromised before they submit any personal information: starting today, HackNotice is rolling out a free Chrome extension designed to alert users when they access a recently hacked site. It’s available for public use.

To keep its users updated on recent cyberattacks, HackNotice leverages a database containing 20,000 hack notices and hack reports, Thomas explains. This database powers the Chrome extension, which sits in the background while you browse. If you visit a site that has been hacked within the previous 90 days, the tool will send a notification to let you know.

“If I’m about to buy something from a site and put credit card information in there, I want to know about a recent hack,” Thomas says.

HackNotice’s breach database is updated daily with newly discovered incidents. Data is pulled from several sources: state government disclosure sites, privacy rights websites, and news media. Hacks are reviewed and verified manually before they’re added to the database, which contains both new cyberattacks and new information on earlier attacks, he adds.

It’s worth noting that 90 days is the extension’s default timeframe for alerting users to recent hacks. You can adjust the tool to display notifications on a site regardless of when it was hacked, an option Thomas points out was not the default as he didn’t want to overwhelm users.

“Unfortunately, a lot of sites have had at least one hack in the last 10 years,” he says. If they prefer, users may also create a “watchlist” to keep them updated on frequently visited sites.

“We are starting with Chrome, but we are absolutely open to other browsers,” says Thomas of plans for the future. “We’ve already planned out how to release the extension for Firefox, so assuming there is a demand that would be our next browser.”

He’s also brainstorming ways to bring HackNotice’s info into users’ daily lives. The focus is less on getting people to visit the site, and more about integrating hack data into their activity. For example, one idea is to create a stock ticker that shows recent breaches along with stock data.


Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance Technology, where she covered financial …

Article source: https://www.darkreading.com/endpoint/new-chrome-extension-alerts-users-to-hacked-sites/d/d-id/1332455?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Feds Indict Three Ukrainians For Cyberattacks on 100+ Companies

Dmytro Fedorov, Fedir Hladyr, and Andrii Kolpakov are senior members of the notorious FIN7 cybercrime group, aka the Carbanak Group.

US law enforcement Wednesday announced the arrests of three leading members of a prolific cybercrime group believed responsible for stealing data on some 15 million payment cards from more than 100 companies including Saks Fifth Avenue, Chipotle Mexican Grill, Arby’s, and Red Robin.

Indictments unsealed today in the US District Court in Seattle identified Ukrainian nationals Dmytro Fedorov, 44, Fedir Hladyr, 33, and Andrii Kolpakov, 30, as members of FIN7, a hugely successful financial threat actor also known as the Carbanak Group.

The group is believed responsible for breaching some 6,500 point-of-sale terminals at more than 3,600 locations belonging to companies in 47 states in the US alone. Most of its victims have been from the hospitality, restaurant, and gaming industries. FIN7/Carbanak Group also claimed dozens of victims in the United Kingdom, France, and Australia.

In a fact sheet outlining the group’s tactics, US prosecutors described FIN7 as one of the most “sophisticated and aggressive” threat actors in the world with dozens of operatives, a global C2 infrastructure, and an arsenal of sophisticated malware tools and tactics. It even established a front company called Combi Security to recruit hackers under the guise of being a legitimate penetration-testing firm. Among the many purported clients that Combi listed on its website were multiple US victims, prosecutors have alleged.

Fedorov, Hladyr, and Kolpakov each faces 26 felony counts related to wire fraud, computer hacking, access device fraud, aggravated identity theft, and conspiracy for their part in the massive criminal operation.

Hladyr, FIN7’s alleged systems administrator and the individual supposedly responsible for maintaining the organization’s servers and communication channels, was arrested in Dresden, Germany, earlier this year at the behest of US authorities. He is currently being detained in Seattle and will go to trial October 22.

Fedorov, described by prosecutors as a high-level FIN7 hacker and supervisor of individuals tasked with breaching victim networks, was arrested in Bielsko-Biala, Poland, earlier this year and is currently being held there pending extradition to the US.

Spanish authorities in June arrested Kolpakov in Lepe, Spain, where he remains detained pending a US request for his extradition.

The arrests and subsequent indictments mark a huge victory for law enforcement in the US and elsewhere. “The naming of these FIN7 leaders marks a major step towards dismantling this sophisticated criminal enterprise,” said Jay Tabb, special agent in charge at the FBI’s Seattle field office in a statement announcing the arrests.

Security vendor FireEye, which has been tracking FIN7 since 2015, described the group’s activities as being primarily focused on payment card data theft. One of its most recent victims was Hudson’s Bay—the owners of brands such as Saks and Lord & Taylor. The attack netted the group 5 million credit card records, which it later sold in underground markets. But not all of FIN7’s attacks are payment card-related.

Earlier this year, researchers at FireEye discovered FIN7 targeting people at multiple organizations who were responsible for filing required company financial details with the US Securities and Exchange Commission. In that specific case, the goal appears to have been to try and steal information that would have helped the group profit through insider trading, FireEye said in a blog Wednesday.

When FIN7 has not been able to accomplish its initial goal of stealing payment card data from a victim organization, the group has also been observed going after finance department personnel at the same firm, FireEye says.

Personalized Hacks

FIN7’s typical modus operandi has been to send highly sophisticated phishing emails to users at target organizations to try and get them to click on Word documents and other attachments with embedded malware. “Their phishing has often exploited urgent, high value business matters tailored to their chosen targets,” FireEye said.

For example, FIN7 operatives have contacted managers at individual stores about being overcharged for something and attached a malicious document to it purporting to be the “receipt.” When targeting a restaurant, the phishing email might refer to a food poisoning complaint and lure recipients to click on the malicious attachment to get more details. Often, FIN7 operatives have gone to the extent of placing phone calls to targeted individuals either before or after sending them a rogue email in an effort to lend greater credibility to their phishing lure.
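A lure like the “receipt” or the food-poisoning complaint only works if the attachment can execute something when opened, and for Word documents that usually means a VBA project inside the file. The triage routine below is an added example, not FIN7 tooling, FireEye code or anything from the indictment: it flags Office attachments that can carry macros and notes when the file name disagrees with what is inside. The container checks rely on the public OOXML part names and the OLE2 magic bytes; the sample documents are constructed in memory.

```python
"""Mail-gateway triage for Office attachments of the kind used as phishing lures.

Added example, not FIN7 tooling or anything from the indictment. It flags
attachments that can carry VBA macros and notes when the file name disagrees
with the content. The sample documents are constructed in memory; the part
names and magic bytes are the public OOXML / OLE2 ones.
"""
import io
import zipfile

OLE2_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"   # legacy .doc/.xls/.ppt container
ZIP_MAGIC = b"PK\x03\x04"                          # OOXML (.docx/.docm/...) is a zip
MACRO_EXTENSIONS = {".docm", ".dotm", ".xlsm", ".xltm", ".xlam", ".pptm", ".ppam"}
LEGACY_EXTENSIONS = {".doc", ".dot", ".xls", ".xlt", ".ppt"}


def ooxml_parts(data: bytes):
    """Return the part names of an OOXML package, or None if this is not one."""
    if not data.startswith(ZIP_MAGIC):
        return None
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
    except zipfile.BadZipFile:
        return None
    return names if "[Content_Types].xml" in names else None


def triage_attachment(filename: str, data: bytes):
    """Return a list of findings; an empty list means nothing to flag."""
    findings = []
    ext = "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    parts = ooxml_parts(data)
    if parts is not None:
        has_vba = any(name.lower().endswith("vbaproject.bin") for name in parts)
        if has_vba:
            findings.append("OOXML document contains a VBA project (vbaProject.bin)")
            if ext not in MACRO_EXTENSIONS:
                findings.append(f"macro content under non-macro extension {ext or '(none)'}")
        elif ext in MACRO_EXTENSIONS:
            findings.append("macro-enabled extension but no VBA project inside")
    elif data.startswith(OLE2_MAGIC):
        # Binary Office formats keep VBA in OLE streams; deciding whether any are
        # present needs an OLE parser (e.g. oletools' olevba), not a magic check.
        findings.append("legacy OLE2 Office file: can embed VBA, needs OLE stream parsing")
        if ext not in LEGACY_EXTENSIONS:
            findings.append(f"OLE2 content under extension {ext or '(none)'}")
    return findings


def build_sample_docx(with_macro: bool) -> bytes:
    """Constructed minimal OOXML package, enough for the checks above."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    for name, blob in [("receipt.docm", build_sample_docx(True)),
                       ("receipt.docx", build_sample_docx(True)),
                       ("menu.docx", build_sample_docx(False)),
                       ("complaint.doc", OLE2_MAGIC + b"\x00" * 64)]:
        print(name, "->", triage_attachment(name, blob) or "clean")
```

This only answers the question “can this file run code when opened?”; it says nothing about what the macro does, and it does not cover the other attachment types the article mentions. For a gateway the useful policy is the one implied by the page’s own advice: an unexpected attachment that triages as macro-capable is quarantined rather than delivered, whatever the accompanying phone call says.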

Once a system is infected, FIN7 uses its C2 infrastructure to download an array of additional sophisticated malware tools for exfiltrating data, conducting surveillance, enabling lateral movement and carrying out other malicious activities. Some of the tools have the ability to take screen shots and make video recordings of user activity so FIN7 can locate and extract payment data, financial information, and other data of interest to the group.

FIN7’s exceptional social engineering skills and methods to evade detection have contributed to its growth as a sophisticated cybercrime enterprise, said Kimberly Goody, manager of financial crime analysis at FireEye.

“Financially-motivated threat actors are becoming extremely advanced and are capable of inflicting significant harm on organizations through vast, carefully orchestrated campaigns,” she said. “FIN7 is a prime example of this.”

FireEye does not expect the arrests of Fedorov, Hladyr, and Kolpakov to necessarily lead to a cessation of FIN7’s activities. What’s more likely is that some of the remaining members will continue with the criminal operation using modified tactics, techniques, and procedures. It is also plausible that the group will split up into multiple smaller operations and carry out separate operations, FireEye said.


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year …

Article source: https://www.darkreading.com/attacks-breaches/feds-indict-three-ukrainians-for-cyberattacks-on-100+-companies/d/d-id/1332461?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Mozilla still working on Firefox’s site isolation security revamp

Mozilla’s Firefox browser doesn’t have site isolation security yet, but plans to enable it are in the works.

That’s according to an email seen by the Bleeping Computer news site, which ties its development to Project Fission, not to be confused with the separate Firefox security overhaul Project Fusion that will integrate the Tor browser to transform its current weak privacy mode.

Site isolation – stopping a malicious website from accessing data in another tab – already exists in a basic form through the longstanding concept of the Same Origin Policy.

Same Origin Policy stops one website from siphoning data from a site open in a separate tab, without which, say, logging into a banking website while running a second malicious website would become a huge risk.

This works well until an attacker discovers a security vulnerability that allows them to break this protection as has been the case with occasional Universal Cross-site Scripting (UXSS) vulnerabilities and Remote Code Execution (RCE).
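The two boundaries in play here are not the same. The same-origin policy keys on scheme, host and port; site isolation, as Chrome’s implementation defines it, puts each “site” (scheme plus registrable domain) in its own process, a coarser unit chosen because pages on one registrable domain may legitimately share data with each other. The code below is an added example, not Mozilla or Google code, to make that distinction concrete; `PUBLIC_SUFFIXES` is a tiny constructed stand-in for the Public Suffix List a real browser loads in full.

```python
"""Origin versus site: the two boundaries discussed above.

Added example, not Mozilla or Google code. The same-origin policy compares
(scheme, host, port); site isolation groups by (scheme, registrable domain).
PUBLIC_SUFFIXES is a constructed subset standing in for the Public Suffix List
(assumption: a real implementation loads the full list).
"""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}
PUBLIC_SUFFIXES = {"com", "org", "uk", "co.uk", "io", "github.io"}  # constructed subset


def origin(url: str):
    """(scheme, host, effective port), the unit the same-origin policy uses."""
    u = urlsplit(url)
    host = (u.hostname or "").lower()
    port = u.port if u.port is not None else DEFAULT_PORTS.get(u.scheme.lower())
    return (u.scheme.lower(), host, port)


def registrable_domain(host: str) -> str:
    """Longest matching public suffix plus one label (eTLD+1)."""
    labels = host.split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return host if i == 0 else ".".join(labels[i - 1:])
    return host


def site(url: str):
    """(scheme, registrable domain), the unit site isolation assigns a process to."""
    u = urlsplit(url)
    return (u.scheme.lower(), registrable_domain((u.hostname or "").lower()))


def same_origin(a: str, b: str) -> bool:
    return origin(a) == origin(b)


def same_site(a: str, b: str) -> bool:
    return site(a) == site(b)


if __name__ == "__main__":
    pairs = [
        ("https://mail.example.com/", "https://www.example.com/"),
        ("https://alice.github.io/", "https://bob.github.io/"),
        ("http://example.com/", "https://example.com/"),
    ]
    for a, b in pairs:
        print(f"{a} vs {b}: same-origin={same_origin(a, b)} same-site={same_site(a, b)}")
```

The github.io pair is the case that shows why the suffix list matters: two users’ pages there share a domain but are different sites, so site isolation keeps them in separate processes, whereas two subdomains of one company land in the same process and rely on the same-origin policy alone.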

But what seems to have thrown the cat among the sleeping pigeons is the revelation of the Meltdown and Spectre CPU vulnerabilities in early 2018.

The fact that Google’s own Project Zero researchers jointly authored those discoveries might explain why Google is currently ahead of Mozilla, having enabled site isolation by default in Chrome 67, released in May.

The downside of site isolation is that it increases memory demands, which is why Fission encompasses redesigning this part of the browser’s inner workings as well as boosting its security.

As a Mozilla mailing on the topic noted:

The problem is thus: In order for site isolation to work, we need to be able to run *at least* 100 content processes in an average Firefox session.

To stop the memory overhead from becoming a burden, each process would have to be pared down to around 7MB from today’s best estimate of between 17MB and 21MB on Windows.

Since January, Mozilla’s developers have been putting in place various mitigations to battle the Spectre and Meltdown cache-timing weakness. Once site isolation lands, those mitigations would no longer be needed, which is a small comfort.

Nevertheless, from the latest information, it appears that Mozilla is still some months away from shipping site isolation in the release version of Firefox.

All this after Firefox Quantum, which appeared in November 2017, was supposed to bury the browser’s much-commented-upon memory consumption woes once and for all.

It hasn’t worked out that way. Browsers have been battling memory demands as long as anyone can remember and every time they seem to be getting on top of it, another problem pops up to set them back.

Site isolation will be well worth it in the end. It’s just that that longed-for ‘end’ might be some way off yet.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/VG160UhW_fk/

High-schoolers’ data put up for sale after being scraped from surveys

High schoolers, do you know what tends to impress college admissions people? Flipping burgers. Or any summertime job, for that matter.

You know what’s less likely to impress them? Your parents shelling out the $985 it takes to send you to the impressive-sounding “Congress of Future Science and Technology Leaders.”

As the Seattle Times reported on Sunday, 3,000 high schoolers from across the country recently traveled to a sports arena in Lowell, Massachusetts to attend an event with that weighty name, most of their parents having paid that hefty admission price.

They all had good grades, but they weren’t there because of their smarts or hard work. They were there because they’d been invited, courtesy of their contact information having been harvested from surveys they filled out in the hopes of learning about colleges and scholarships.

The conference organizers slathered on the flattery in the invitations sent to these target-marketed kids: as the Seattle Times describes it, the attendees had received letters signed by a Nobel Prize-winning physicist who congratulated them on being nominated for “a highly selective national program honoring academically superior high school students.”

“Highly selective,” it turns out, must be another way to say “you’re headed for college and likely to shell out for a fancy-sounding event if you think it will give you an edge to get in.”

Many of the students in that audience had filled out a college-planning questionnaire, called MyCollegeOptions, while others took surveys that came with the SAT or the PSAT tests administered by the College Board. The personal details they entered wound up being sold and shared with the Congress of Future Science and Technology Leaders event organizers.

As the Seattle Times notes, the recruiting methods for some of these student-recognition programs offer a glimpse into “the widespread and opaque world of data mining” for millions of minors, where students’ profiles may be used to target them for both educational and noneducational offers. MyCollegeOptions, for one, says it may give access to student data to student-loan services, test prep and other companies.

The Seattle Times talked to Marianne Stephens, the college counselor at Shorewood High School, in Shoreline, Washington, who said that she finds all of this “troubling.”

After Shoreline High students started getting mailings from these leadership events, Stephens posted a “Sham Alert” on the school’s website.

These are some of the official-sounding organizations that have been sending emails or “thick envelopes with official-looking seals” to her students:

  • Advanced Emergency Medicine
  • Congressional Youth Leadership Council
  • Congress of Future Scientists
  • National Academy of Future Physicians and Medical Scientists
  • National Academy of Future Scientists and Technologists
  • National Society of High School Scholars
  • National Student Leadership Conference
  • National Youth Leadership Forum
  • Several programs owned by Envision

The letters may mention the “honor” of being selected, but Stephens says make no mistake: the legitimate-seeming communiqués are “essentially well-packaged marketing schemes.”

The award is not an award. It is an advertisement for a conference or a guide that will cost you money.

Beware of the claims. Most of these programs are not selective and do not have minimum criteria; they are open to anyone willing to pay.

These aren’t scams. There’s nothing particularly illegal about what the events are doing. As the Seattle Times notes, there’s no federal law regulating consumer data brokers.

It brings to mind Facebook, which has gotten into a world of trouble lately with revelations about the growing list of data analytics firms siphoning off its user data. The social platform’s data-sucking parasites have been on a spectrum when it comes to being more or less upfront or deceptive about what they’re up to, from Cambridge Analytica’s shadowy practices on up to Crimson Hexagon working in relative transparency.

Regardless of how above-board such data-analytics outfits are, people have only within the past few months begun to realize just how much of Facebook user data has been flowing from the very permeable platform, and they’re none too happy about it.

With no federal law regulating these data brokers, it’s worth noting that in June, Vermont became the first state to enact a data-broker law. Given the revelations about how much user data Facebook has let slip into the hands of data brokers, it wouldn’t be surprising if more states followed suit.

According to the Info Law Group, the new Vermont law will require data brokers to provide information about their data collection activities, opt-out policies, purchaser credentialing practices, and security breaches, as well as to protect consumers against security breaches by requiring data brokers to implement a comprehensive information security program.

Data brokers aren’t mandated to offer opt-out, but they’ll be required to provide Vermont with their policies and procedures, including how consumers can opt-out, which activities and sales the opt-out applies to, whether data brokers permit a third-party to opt-out on the consumer’s behalf, and a list of data collection, databases, or sales activities from which a consumer may not opt out.

At any rate, these student-focused events aren’t new. The New York Times reported about the issue of pricey “leadership” type events at least as far back as 2009.

But given the Cambridge Analytica revelations, the way that such events obtain information on who to market themselves to is getting fresh scrutiny. In May, the US Department of Education’s (USED) Privacy Technical Assistance Center (PTAC) put out a notice to the effect that filling out the surveys that data brokers use to collect and sell student information isn’t mandatory. Rather, parents can opt out.

But that’s not always clear, according to the PTAC:

We have heard from teachers and students… that the voluntary nature of these pre-test surveys is not well understood, and that each of the questions requires a response, and the student must affirmatively indicate in response to multiple questions that the student does not wish to provide the information.

In fact, the surveys that precede the SAT and ACT tests are dealing with data that’s protected under the Protection of Pupil Rights Amendment (PPRA), which requires that schools and contractors “obtain written parental consent before minor students are required to participate in any ED-funded survey, analysis, or evaluation that reveals” certain sensitive information, including religion and parental income. Both of those categories of information are included in the SAT and ACT pre-surveys.

Mind you, not all the events that feed off of the survey data to market themselves to potential attendees are shams, Stephens said in her Sham Alert. Some are legitimate events with high-quality programming. Like anything, it pays to do some digging to find out if they’re worth the cost of admission:

On occasion, mailings are legitimate. Ironically, some of the legitimate recognitions may not be as fancy as the sham ones. Do internet searches for reviews of events and organizations, and see if anything comes up when you search for the name of the organization and the word ‘scam.’

Would Stephens send her own kid to something like this? Nope. She knows that colleges have “loads of respect for students who work in the summer” and know which fancy-sounding events are really wearing the Emperor’s clothes:

Don’t be so scared of college admissions that you think you need something like this to get in. College admissions representatives know that these are marketing ploys, and realize that not everyone has access to enrichment… You do not need to do something flashy to get colleges’ attention.

But you do need to do something to keep your kids’ information from being used to do a hard sell on this kind of thing.

Namely, you have to start keeping their information much closer to the vest, whether that means personal details entered into Instagram, other social media accounts or an endless array of other online places, or opting out of questionnaires that ask for information nobody has any real need for… other than to sell it later on, that is.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/0vF1LJ_dxSI/

Staff dust off their typewriters after malware attack

Sophisticated malware has taken down systems in at least two Alaskan municipalities in an attack that officials say is the worst they have ever seen. The Alaskan Borough of Matanuska-Susitna (Mat Su) and the City of Valdez have both been hit.

At Mat Su, everything from email to the electronic door key swiping system was affected. The Borough first noticed infections in its endpoints on 17 July when an update to its antivirus software spotted a common banking Trojan on Windows 7 machines (but not on its Windows 10 computers).

The software didn’t notice a range of other malware that the Trojan was infecting endpoints with. It was only a few days later that the Borough noticed issues with 60 of its 500 computers, information technology director Eric Wyatt told local radio reporters.

On 23 July, the IT department wrote a script to clean machines and reset all passwords. The malware reacted aggressively, locking up files on nearly all of its workstations and 120 of its 150 servers. That led the Borough to isolate all machines, disconnect its network from the internet and call the FBI.

The attack took down the Borough’s email and disrupted multiple systems, including the property querying application, library system, landfill weights and fees application, and its animal shelter’s computers. Many public services were payable only by cash or cheque, and the infection forced public employees to break out old typewriters from closets to write receipts across some of its 73-building infrastructure. Wyatt said:

We have widespread disruption of offices, so that means a lot of things that citizens do with the borough is back to manual methods.

The Borough announced that computer systems were down on 24 July, and then explained that it was under attack on 25 July. Since then, it has been working with multiple organizations to fix its infrastructure.

Mat Su reported on Monday 30 July that most of its data was safe, thanks to a multi-tiered backup system. Credit card data was not stored on its systems and was therefore not at risk. It had to create an alternative email system with the same domain, as its existing Exchange system is completely unrecoverable.

The city of Valdez posted a press release on Facebook on 27 July adding that it had been hit by the same malware as Mat Su. It confirmed that all city computers and servers had been shut down and city email was unavailable. It was taking payment for services at City Hall and was asking customers to bring copies of their billing statements. The contact given for Valdez city representative Sheri Pierce was a Gmail address.

Over 200 organizations have been hit with the malware, according to evidence gathered by the Borough from its own systems. Wyatt added:

I have heard of numerous attacks in the state and throughout the nation. My information says that it’s very widespread in the state and in the United States, and it’s the same type of attack. It’s a multi-pronged attack.

Wyatt, who has spent 35 years dealing with cyberattacks in roles including military positions, said that the malware had been lurking on the Borough’s network since as early as 3 May.

In radio interviews, Wyatt added:

What I will tell you is that this isn’t some kid in his mother’s basement. This is very sophisticated and well-funded. It would come from somewhere I believe outside the US. When we call it ransomware, that’s not its purpose. I believe its purpose was to disrupt our way of life.

Governments have been hit by malware that encrypts files before. In March, Atlanta suffered an attack that cost it $2.6m, and ransomware took down Baltimore’s 911 system in the same month.

Mission-critical services should be up and running internally by the end of this week. Wyatt concluded that it will be at least three weeks to get back to “something that looks like normal.”


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/d9IG_yi2sR8/